New type of phishing attack.

Browser tab napping. Pretty scary.

Senior Member

joined:May 8, 2003
posts:1141
votes: 0

This is a little scary, because it's so simple. I have considered myself pretty much safe from phishing attacks, but this might be the one I might fall for:

It works like this: If you have several browser tabs open, then visit a website in one tab and then switch to another tab, the website might check if it has lost the focus - then change its contents including title tag and its favicon.

The tab that was called "widget site" before and had the "widget site" favicon, might now be called "Gmail" or "Paypal" in the tab, display the favicon of this website in its tab and might have replaced its contents with the login site.

Just open this website in a new tab, then switch to another tab and wait five seconds and see what happens.

It affects browsers differently. Most affected is Firefox. In Firefox, the favicon, title and content are changed. In Internet Explorer it does not display a favicon at all and Opera does not display a new favicon. Chrome does not seem to be affected.

Senior Member from US

joined:Nov 29, 2005
posts:7057
votes: 427

I am 1990s folk... I have ONE tab open at any time, and the second--when I opt for it--only open long enough to see those contents. There is a drawback to too many processes in use. Looking at this from the user side. And also seeing it from the giggle (sic) side as only small processes in use at any time expanded across multiple (x) processes (not processors) to get a job done.

Meanwhile common sense is applied: if you only have one tab open, there's no way this newly discovered event can work against the user. Regardless of browser...

Reminded of those elder daze (sic) when multitasking was first introduced. And failures and reboots and... how cool is it that what has gone before comes back around to bite us in the arse? YMMV.

Senior Member

Firefox users need an extension that causes the address bar to flash red if the content of the page has changed between the time they moved to a new tab and when they came back to the tab.

They need to lock the content on the tab or something like that. A flashing tab wouldn't work on my bank's site because it logs you out after x minutes of inactivity. A flashing tab would not be anything out of the ordinary.
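
The check suggested in the post above, as an added example (not code from this thread or from any existing extension): snapshot a tab when it is hidden, compare when the user comes back, and grade the difference so that an ordinary session timeout does not raise the same flag as a swapped identity. All function names, the page objects and the grading rule are assumptions made for illustration.

```javascript
// Added example: compare what a tab looked like when it was hidden with what
// it looks like when the user returns. All names here are hypothetical.

// FNV-1a 32-bit hash, enough to notice that the page text changed.
function fingerprint(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// `page` is a plain object; in an extension it would be filled from
// document.title, the <link rel="icon"> href, document.body.innerText and
// a query for input[type=password], on each "visibilitychange" event.
function takeSnapshot(page) {
  return {
    title: page.title,
    favicon: page.favicon,
    contentHash: fingerprint(page.text),
    hasPasswordField: page.hasPasswordField,
  };
}

// Returns { changed: [...field names], level: 'ok' | 'notice' | 'alert' }.
function compareSnapshots(before, after) {
  const changed = Object.keys(before).filter((k) => before[k] !== after[k]);
  const has = (k) => changed.includes(k);
  const newLogin = !before.hasPasswordField && after.hasPasswordField;
  let level = changed.length > 0 ? 'notice' : 'ok';
  // Assumed heuristic: a site that logs you out keeps its own favicon, so a
  // new favicon together with a new title or login form is what gets flagged.
  if (has('favicon') && (has('title') || newLogin)) level = 'alert';
  return { changed, level };
}

// Constructed sample pages (not captured from any real site).
const widget = { title: 'Widget site', favicon: '/widget.ico', text: 'Blue widgets on sale', hasPasswordField: false };
const swapped = { title: 'Mail - Sign in', favicon: '/mail.ico', text: 'Sign in to continue', hasPasswordField: true };
const bank = { title: 'My Bank - Accounts', favicon: '/bank.ico', text: 'Your accounts', hasPasswordField: false };
const bankTimedOut = { title: 'My Bank - Accounts', favicon: '/bank.ico', text: 'Session expired, log in again', hasPasswordField: true };

console.log(compareSnapshots(takeSnapshot(widget), takeSnapshot(swapped)));
console.log(compareSnapshots(takeSnapshot(bank), takeSnapshot(bankTimedOut)));
```

The bank timeout case comes back as `notice` rather than `alert`, which is the distinction the second paragraph of the post asks for.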

Preferred Member

My strategy is still to use one browser exclusively for very secure things and never for anything else - seriously reduces the risk of things like this happening.

That's exactly what I started doing after I first became aware of cross-site scripting attacks. I use one browser and one browser only for bank logins, PayPal, brokerage accounts, affiliate accounts -- all financial sites and other sites of all types where there's a strong need for security. I never use that browser to visit any other sites. Then there are all the other browsers I have and use -- they're never used for any important logins.

If the "wrong" browser was suddenly showing me a login page for one of those accounts, it would immediately send up red flags.